CVE-2022-2865
Published 2022-10-17
Priority: P4 · 21 · medium 4.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.66% (47.1st percentile)
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 15.2 < 15.2.4 | 15.2.4 |
| gitlab | gitlab | >= 15.3 < 15.3.2 | 15.3.2 |
| gitlab | gitlab | >= 9.0.0 < 15.1.6 | 15.1.6 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
- NVD (v3.1): 4.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- OSV: 4.8 MEDIUM
- Debian (vendor): 7.3 HIGH
GitLab (vendor_gitlab · 2022-10-17 · CVSS 7.3 HIGH · CWE-79)
CVE-2022-2865: same advisory text as the description above.
Debian (vendor_debian · 2022 · CVSS 7.3 HIGH)
CVE-2022-2865: gitlab - same advisory text as the description above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
VulDB (vuldb · 2026-05-27 · CVSS 4.8 MEDIUM)
GitLab Community Edition/Enterprise Edition Label Colour cross site scripting (Issue 37087 / EUVD-2022-35099)
A vulnerability labeled as problematic has been found in GitLab Community Edition and Enterprise Edition. Impacted is an unknown function of the component Label Colour Handler. Such manipulation leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2022-2865. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
GHSA (ghsa_unreviewed · 2022-10-17 · MEDIUM · CWE-79)
GHSA-gw7r-3j53-5c25: same advisory text as the description above.
OSV (osv · 2022-10-17 · CVSS 4.8 MEDIUM)
CVE-2022-2865: same advisory text as the description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2865.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/370873
- https://hackerone.com/reports/1665658